This is done basically by verifying that CA is set in the basic constraints, and then that the key usage allows certificate signing.
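The two checks described above, written against Go's standard `crypto/x509` package. This is an added example, not code from the original page or its project. The names `checkCanSign` and `makeCert` are hypothetical, the certificates are constructed samples, and rejecting a certificate that has no key usage extension at all is an assumption of this sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkCanSign (hypothetical name) returns nil only if cert may issue other certificates.
func checkCanSign(cert *x509.Certificate) error {
	if !cert.BasicConstraintsValid || !cert.IsCA { // basic constraints must carry CA=TRUE
		return fmt.Errorf("basicConstraints: CA flag not set")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 { // assumption: absent keyUsage is rejected too
		return fmt.Errorf("keyUsage: keyCertSign not asserted")
	}
	return nil
}

// makeCert (hypothetical helper) builds a constructed, self-signed sample certificate.
func makeCert(isCA bool, ku x509.KeyUsage) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-sample"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: ku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	ca, e1 := makeCert(true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	leaf, e2 := makeCert(false, x509.KeyUsageDigitalSignature)
	noSign, e3 := makeCert(true, x509.KeyUsageDigitalSignature)
	if e1 != nil || e2 != nil || e3 != nil {
		panic("constructing sample certificates failed")
	}
	fmt.Printf("ca: %v\nleaf: %v\nnoSign: %v\n", checkCanSign(ca), checkCanSign(leaf), checkCanSign(noSign))
}
```

The third sample is the case that a CA-flag-only check misses: CA is set, but the key usage extension limits the key to digital signatures.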